Fatigue fears over bug bounty programs
People have day jobs, so only grab low-hanging fruit
Bug bounty fatigue means that bounty hunters are only picking up the easy-to-find flaws while leaving more difficult-to-tease-out vulnerabilities undiscovered, according to a security testing organization.
High-Tech Bridge said its mix of automated scanning and manual inspection is unearthing problems at organizations that make use of bug bounty programs.
“Companies are starting to experience bug bounty fatigue – when researchers have already found all simple and easily detectable vulnerabilities, and hesitate to spend days and nights searching for more advanced vectors of attacks and exploitations,” according to High-Tech Bridge (HTB).
HTB says that in its web security testing practice, nine in ten companies with public or private bug bounty programs have at least two high- or critical-risk vulnerabilities that professional auditors found in under three days of work, flaws the crowd had missed because they were harder to detect and exploit.
Crowdsourced security testing firm Synack acknowledged HTB had a point about “bug bounty fatigue,” while still arguing that properly organized and incentivized teams of researchers can look beyond “low-hanging fruit” to find more obscure flaws.
Jay Kaplan, Synack’s chief exec, commented: “It’s true that companies can easily start to feel ‘bug bounty fatigue’ when researchers continuously go after the low-hanging fruit and hesitate to spend long hours searching for more critical vulnerabilities. This is understandable – many of these researchers have day jobs as security professionals and participate in bug bounty programs at night or on weekends, so they want to maximize their time.”
Kaplan argues that Synack’s man-led, machine-supported approach offers a way to more systematically search for flaws.
“Finding the low-hanging fruit is a repetitive task that can be automated – that’s why we built a vulnerability intelligence platform, Hydra, to find the easy stuff and point the researchers in the right direction,” according to Kaplan.
“The advanced vectors of attack, however, require human ingenuity, creativity, and expertise to find – to discover these critical vulnerabilities, we recruit and field a crowd consisting of the top 10% of the world's most skilled, trusted ethical hackers and heavily incentivize them to mimic the attack of an advanced adversary.”
Both HTB and Synack agree that while bug bounty programs do find vulnerabilities, they often do not go far enough. Hybrid models that combine crowdsourced bounties with vendor-led testing are possible.
“The [US] Department of Defense operates a two-pronged effort through its Hack the Pentagon program – while it leverages an open bug bounty model for its public domains, it uses Synack’s private, managed, man-and-machine approach for its mission-critical IT assets,” explained Kaplan. ®